barisben
New Member
January 2, 2025
Question

Issue with dot1x on FortiNAC


Hey,

I configured dot1x on FortiNAC with these settings and am testing it with an Aruba AOS-CX switch (Winbind joined and RADIUS services running):

[Configuration screenshots (Screenshot_2.png to Screenshot_6.png) are not reproduced here]
When I try to connect, I see logs with the correct username, but FortiNAC does not send a reply packet.

10:38:54.579232 IP (tos 0x0, ttl 62, id 13822, offset 0, flags [DF], proto UDP (17), length 199)
    10.8.4.4.35733 > trnacsr01.test.local.radius: RADIUS, length: 171
        Access-Request (1), id: 0x30, Authenticator: 4be24ae1715b87beb75e8daa5fd19d8f
          User-Name Attribute (1), length: 23, Value: TEST\baris.yilmaz
          Calling-Station-Id Attribute (31), length: 19, Value: E8-80-88-E9-46-69
          NAS-Port-Type Attribute (61), length: 6, Value: Ethernet
          NAS-Port-Id Attribute (87), length: 8, Value: 1/1/23
          NAS-Port Attribute (5), length: 6, Value: 23
          Service-Type Attribute (6), length: 6, Value: Framed
          EAP-Message Attribute (79), length: 28, Value: ..
          Message-Authenticator Attribute (80), length: 18, Value: ..SD.=8..z..V.0.
          Called-Station-Id Attribute (30), length: 19, Value: EC-50-AA-2C-6B-80
          NAS-Identifier Attribute (32), length: 12, Value: TRTESTSW03
          NAS-IP-Address Attribute (4), length: 6, Value: 10.8.4.4
10:38:59.582905 IP (tos 0x0, ttl 62, id 14204, offset 0, flags [DF], proto UDP (17), length 199)
    10.8.4.4.35733 > trnacsr01.test.local.radius: RADIUS, length: 171
        Access-Request (1), id: 0x30, Authenticator: 4be24ae1715b87beb75e8daa5fd19d8f
          User-Name Attribute (1), length: 23, Value: TEST\baris.yilmaz
          Calling-Station-Id Attribute (31), length: 19, Value: E8-80-88-E9-46-69
          NAS-Port-Type Attribute (61), length: 6, Value: Ethernet
          NAS-Port-Id Attribute (87), length: 8, Value: 1/1/23
          NAS-Port Attribute (5), length: 6, Value: 23
          Service-Type Attribute (6), length: 6, Value: Framed
          EAP-Message Attribute (79), length: 28, Value: ..
          Message-Authenticator Attribute (80), length: 18, Value: ..SD.=8..z..V.0.
          Called-Station-Id Attribute (30), length: 19, Value: EC-50-AA-2C-6B-80
          NAS-Identifier Attribute (32), length: 12, Value: TRTESTSW03
          NAS-IP-Address Attribute (4), length: 6, Value: 10.8.4.4
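As an added example (my own code, not from the original post or from FortiNAC), a small Python parser over tcpdump -v output like the capture above: it groups Access-Requests by NAS source and RADIUS id, keeps the ones that no server packet ever answered, and counts retransmits that reuse the same Authenticator, which is exactly the pattern in this capture (same id 0x30, same Authenticator, five seconds apart). The sample packets are constructed from the excerpt; the server-side reply format is an assumption.

```python
import re
# Constructed sample modelled on the tcpdump excerpt in the post: the switch (10.8.4.4)
# sends Access-Request id 0x30 twice with an identical Authenticator and gets no reply.
SAMPLE = """\
10:38:54.579232 IP (tos 0x0, ttl 62, id 13822, offset 0, flags [DF], proto UDP (17), length 199)
    10.8.4.4.35733 > trnacsr01.test.local.radius: RADIUS, length: 171
        Access-Request (1), id: 0x30, Authenticator: 4be24ae1715b87beb75e8daa5fd19d8f
          User-Name Attribute (1), length: 23, Value: TEST\\baris.yilmaz
10:38:59.582905 IP (tos 0x0, ttl 62, id 14204, offset 0, flags [DF], proto UDP (17), length 199)
    10.8.4.4.35733 > trnacsr01.test.local.radius: RADIUS, length: 171
        Access-Request (1), id: 0x30, Authenticator: 4be24ae1715b87beb75e8daa5fd19d8f
          User-Name Attribute (1), length: 23, Value: TEST\\baris.yilmaz
"""
TS = re.compile(r"^(\d\d:\d\d:\d\d\.\d+) IP ")
FLOW = re.compile(r"^\s+(\S+) > (\S+): RADIUS")
CODE = re.compile(r"^\s+(Access-\w+) \(\d+\), id: (0x[0-9a-f]+), Authenticator: ([0-9a-f]{32})")
USER = re.compile(r"User-Name Attribute \(1\), length: \d+, Value: (.+)$")

def parse(text):
    pkts, cur = [], {}
    for line in text.splitlines():
        if m := TS.match(line):
            cur = {"ts": m.group(1)}  # a timestamp line starts a new packet
        elif m := FLOW.match(line):
            cur["src"], cur["dst"] = m.groups()
        elif m := CODE.match(line):
            cur["code"], cur["id"], cur["auth"] = m.groups()
            pkts.append(cur)
        elif m := USER.search(line):
            cur["user"] = m.group(1)
    return pkts

def unanswered_requests(text):
    """Access-Requests, keyed by (NAS addr.port, id), that no server packet ever answered."""
    pkts = parse(text)
    answered = {(p["dst"], p["id"]) for p in pkts if p["code"] != "Access-Request"}
    out = {}
    for p in (p for p in pkts if p["code"] == "Access-Request"):
        key = (p["src"], p["id"])
        if key in answered:
            continue
        e = out.setdefault(key, {"attempts": 0, "retransmits": 0, "auth": p["auth"],
                                 "first": p["ts"], "user": p.get("user")})
        e["attempts"], e["last"] = e["attempts"] + 1, p["ts"]
        # Same id *and* same Authenticator again: the NAS resent the identical packet,
        # which it only does when no reply reached it within its timeout.
        if e["attempts"] > 1 and p["auth"] == e["auth"]:
            e["retransmits"] += 1
    return out
```

Run it over a `tcpdump -v -n -i <iface> udp port 1812` capture taken on the FortiNAC server; a non-empty result with retransmits means the requests arrive but nothing is sent back, which points at the RADIUS service, the listening port or the modeled device IP rather than at the switch.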

 


ebilcari
Staff
January 2, 2025

Firstly, you may not need the Authentication Policy; there is a common misconception about it, and you can read more about it in this discussion.

Is the authentication port configured to be 1812 in FNAC under the RADIUS configuration, and is the switch modeled using the IP 10.8.4.4?

Some helpful logs can be read from the GUI in RADIUS > View Logs, Service Log.

Emirjon
barisben (Author)
New Member
January 2, 2025

Okay, I deleted the Authentication Policy. The auth port is configured as 1812 and the switch is modeled for sure. Will edit with logs.

ebilcari
Staff
January 2, 2025

Can you specify the FNAC version that is currently running? Is there any other existing network device that is currently doing successful RADIUS authentication with FNAC?

The content in the logs is related to this behavior and can be ignored. You can also temporarily increase the debug level in 'Service Log Debug'.

Emirjon